WordPress Plugin Vulnerabilities

Multiple Plugins from Addify - Multiple CSRF

Description

The plugins have flawed CSRF checks in various places, which could allow attackers to make logged in users perform unwanted actions

Proof of Concept

Affects Plugins

Plugin icon
addify-checkout-fields-manager
Fixed in 1.0.2
Plugin icon
addify-abandoned-cart-recovery
Fixed in 1.2.5
Plugin icon
addify-custom-fields-for-woocommerce
Fixed in 1.0.4
Plugin icon
addify-custom-order-number
Fixed in 1.2.0
Plugin icon
addify-custom-registration-forms-builder
Fixed in 1.0.2
Plugin icon
addify-free-gifts-woocommerce
Fixed in 1.0.2
Plugin icon
addify-gift-registry-for-woocommerce
Fixed in 1.1.0
Plugin icon
addify-image-watermark-for-woocommerce
Fixed in 1.0.1
Plugin icon
addify-order-approval-woocommerce
Fixed in 1.1.0
Plugin icon
addify-order-tracking-for-woocommerce
Fixed in 1.0.2
Plugin icon
addify-price-calculator-for-woocommerce
No known fix
Plugin icon
addify-product-dynamic-pricing-and-discounts
No known fix
Plugin icon
addify-product-labels-and-stickers
Fixed in 1.1.0

References

CVE
CVE-2022-4888

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
2c2379d0-e373-4587-a747-429d7ee8f6cc

Timeline

Publicly Published
2023-07-10 (about 2 years ago)
Added
2023-07-10 (about 2 years ago)
Last Updated
2023-12-19 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
Universal Analytics Injector <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-24
Title
Side Menu Lite < 5.3.2 - Cross-Site Request Forgery to Settings Update
Published
2025-02-16
Title
WP-PManager <= 1.2 - Admin+ SQL Injection
Published
2014-12-18
Title
Tweetscribe <= 1.1 - Multiple CSRF
Published
2024-12-05
Title
eewee admin custom <= 1.8.2.4 - Cross-Site Request Forgery to Privilege Escalation